Hello so here's my big pain in the arse problem...
Suddenly my antivir antivirus disapears, i go and check and all the files are there except for the exe's, wierdd.... then i download to install it again and it can't create the exe's, so i download AVG, and it can't create exe's and i download avira, and kaspersky, and it can't create exe's, and norton antivirus and it can´t create exe's, so i think maybe it's because i didn't unistall the first antivirus well, so i go to their page and download the removal tool, but guess what?? NO LUCK THERE!! Retried every one of them and same problem, cant create exe's, and then i finally found you page, the solution to all my problems and i download your software and guess what... IT DOESN't CREATE THE F'ING EXE's, ore even beter i think it does create but then deletes them, i don't know, i'm tired and i can't find a solution, i've tried it all, and whatever this thing is, it's f***ing smart cuz i can't even login to safe mode i get a blue screen for a nanosecond and it reboots back to the F8 screen.

My best regards, and hijack log!


Logfile of HijackThis v1.99.1
Scan saved at 9:52:54, on 23-01-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Bonjour\mDNSResponder.exe
C:\Programas\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programas\Java\jre1.6.0\bin\jusched.exe
C:\Programas\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programas\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\spool\cmd.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe
C:\Programas\Ficheiros comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programas\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Programas\MSN Messenger\usnsvc.exe
C:\Programas\Windows Live Mail desktop\wlmail.exe
C:\Programas\UltraFXP\UltraFxp.exe
C:\Programas\Microsoft Office\Office12\WINWORD.EXE
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Bowlfish\eMule.exe
C:\Documents and Settings\Proprietário\Os meus documentos\My Downloaded Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programas\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Programas\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programas\Ficheiros comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programas\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programas\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [hpcmd] C:\WINDOWS\system32\spool\cmd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [VoipBuster] "C:\Programas\VoipBuster.com\VoipBuster\VoipBuster.exe" -nosplash -minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Programas\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Programas\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Programas\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\programas\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://sissis5.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.geoweb.pt/vector2/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165876202470
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programas\Ficheiros comuns\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programas\Windows Live Mail desktop\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FICHEI~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programas\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programas\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programas\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programas\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programas\TightVNC\WinVNC.exe" -service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programas\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

The virus log is attached... it's huge, i've got Win32.Bagle off all kinds and trojans... and i cant get tid of anything cuz i cant install the antivirus... f***ing hell what should i do.


PLEASE HELP ME!

Dude .... anyone?
Where's that team spirit? :sad:

Hello.

Sorry for the wait and please do read this topic:

If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

Our volunteers are in different time zones, one will assist you as soon as available, hang in there. :)

Welcome to the forum, first let me say this is a new one on me and I have no idea if I can help you or not. If you will follow directions I will give it a try.

1) Keep the computer offline as much as possible until you are clean, this junk will attract more.

2) Start > Run > type "msconfig" without the quotes then OK. When the System Configuration Utility opens, choose Normal Startup, then Apply and OK your way out. You may return to Selective Startup to save your resrouces when we are finished.

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Thanks to andymanchesta and anyone else who helped with the fix.

5) Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


(save the reports and logs until we finish)

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programas\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [hpcmd] C:\WINDOWS\system32\spool\cmd.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Programas\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Programas\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Programas\Free Download Manager\dllink.htm

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\spool\ <<< delete that folder (should be gone just do not miss it)

8) Follow the directions in this link, make sure you delete or at least quarantine anything the program locates and save the scan report!!
http://forums.security-central.us/showthread.php?t=3165

9) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post Report.txt from SDFix, the scan results from AVG Anti-Spyware and a new HJT log. Let me know how the computer is running now.

Thanks

i'd already mentioned "i can't even login to safe mode i get a blue screen for a nanosecond and it reboots back to the F8 screen."

So i guess you're solution fails me in step 5 :(

If this helps, safe mode crashes while it says loading STPD.sys, then i get a blue screen, a reboot, and back to the F8 menu!

See if any of this information helps: http://www.google.com/search?hl=en&q=STPD.sys&btnG=Google+Search

You can try System File Checker in case a Windows file is corrupt:
http://www.updatexp.com/scannow-sfc.html
Make sure you have your Windows CD on hand in case you need it.

You may want to start thinking about a reformat, try the rest of the instructions and see what happens.

This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.