
Virtumonde or other nasty virus



Motoman
2007-09-15, 19:38
Hi,

I've used Dr. Web Cure It and Vundo Fix, but have not achieved the desired result of ridding my computer of the virus. I am using the beta version of Hijack This.

I keep getting unwanted messenger service pop ups, and it seems that IEXPLORE.EXE keeps opening IE web pages without my consent.

Is there any way possible to identify who created this virus? They should go to jail.

I appreciate your help and look forward to your instructions! Thanks!

ken545
2007-09-15, 21:35
Hello Motoman,

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)

Really can't offer you any help until I see a Hijackthis log.



Open HJT, Scan and Save a Log File; it will open in Notepad.
Go to Format and make sure Wordwrap is unchecked.
Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread by using Post Reply, not by starting a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Motoman
2007-09-15, 21:43
Here you go:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:40:58 PM, on 9/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Alex\Desktop\problems.exe.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {47473506-841B-425E-9399-23C6A0ED4FD4} - C:\WINDOWS\System32\mljjj.dll
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - C:\Program Files\FlashCapture\FCBHO.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\System32\somqjmwr.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\lpqpuhdr.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\FCIEXT.dll/FCIEXT.htm
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\FCIEXT.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\ekjewvhe.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 3477 bytes

ken545
2007-09-15, 22:01
You have a pretty lean log :bigthumb:

Combofix will take care of an infection you have.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply.

Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.


I can't see where you have HJT installed.

We need to have HJT in its own folder for backup purposes. I would prefer that you delete HJT from where you have it installed and reinstall it like this:

Download and install Trendmicro's Hijackthis (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download)

Download the Trendmicro Hijackthis Installer, follow the defaults and it will install in C:\Program Files\Trendmicro\Hijackthis, and this is exactly where we want it to be.



This is important
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right click on Hijackthis.exe (looks like a man with a spyglass) and rename it to Scanner.exe

Motoman
2007-09-15, 22:37
Here you go:

ComboFix 07-09-14.2 - "Alex" 2007-09-15 15:11:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.297 [GMT -5:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Alex\MYDOCU~1\ASEMBL~1
C:\DOCUME~1\Alex\MYDOCU~1\ASEMBL~1\a?sembly\
C:\DOCUME~1\Alex\STARTM~1\Programs\Outerinfo
C:\DOCUME~1\Alex\STARTM~1\Programs\Outerinfo\Terms.lnk
C:\DOCUME~1\Alex\STARTM~1\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\cookies.ini
C:\WINDOWS\dobe~1
C:\WINDOWS\SYSTEM32\avhbdwpb.ini
C:\WINDOWS\system32\bpwdbhva.dll
C:\WINDOWS\system32\fcitclxr.exe
C:\WINDOWS\system32\fmwbrjeh.exe
C:\WINDOWS\SYSTEM32\jjjlm.bak1
C:\WINDOWS\SYSTEM32\jjjlm.bak2
C:\WINDOWS\SYSTEM32\jjjlm.ini
C:\WINDOWS\SYSTEM32\jjjlm.ini2
C:\WINDOWS\SYSTEM32\jjjlm.tmp
C:\WINDOWS\system32\lpqpuhdr.dll
C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\nfktstfk.exe
C:\WINDOWS\SYSTEM32\rdhupqpl.ini
C:\WINDOWS\system32\somqjmwr.dll
C:\WINDOWS\system32\tsuubbcr.exe
C:\WINDOWS\system32\vpeklxqm.dll
C:\WINDOWS\system32\vpxayemk.dll
C:\WINDOWS\system32\wuikhgwl.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-15 to 2007-09-15 )))))))))))))))))))))))))))))))
.

2007-09-15 15:10 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-15 12:17 <DIR> d-------- C:\DOCUME~1\Alex\APPLIC~1\Viewpoint
2007-09-14 00:32 33,792 --a------ C:\WINDOWS\ieuninst.exe
2007-09-13 23:19 <DIR> d-------- C:\VundoFix Backups
2007-09-13 06:03 <DIR> d-------- C:\DOCUME~1\Alex\DoctorWeb
2007-09-09 15:50 <DIR> d-------- C:\Program Files\Google
2007-09-09 15:50 <DIR> d-------- C:\DOCUME~1\Alex\APPLIC~1\Google
2007-09-09 15:49 13,416,432 --a------ C:\Program Files\Google_Earth_BZXD.exe
2007-09-05 23:24 <DIR> d-------- C:\Deserted Seas
2007-09-03 19:57 2,109,802 --ahs---- C:\WINDOWS\SYSTEM32\mlnmp.ini2
2007-09-03 10:27 <DIR> d-------- C:\WINDOWS\backups
2007-09-01 20:51 2,088,520 --ahs---- C:\WINDOWS\SYSTEM32\mlnmp.bak1
2007-08-25 01:49 28,352 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MxlW2k.sys
2007-08-20 22:10 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-20 07:59 1,893,383 --a------ C:\Program Files\stinger.exe
2007-08-18 11:58 <DIR> d-------- C:\WINDOWS\pss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-08 21:25 --------- d-------- C:\Program Files\eMule
2007-09-08 11:31 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-09-04 07:50 --------- d-------- C:\Program Files\MUSICMATCH
2007-09-03 14:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-02 22:55 17 --a------ C:\Program Files\stinger.opt
2007-08-25 01:48 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-23 18:25 --------- d-------- C:\Program Files\HP DeskJet 710C Series
2007-08-23 18:24 --------- d-------- C:\Program Files\Dynamics Student Version 6.0
2007-08-23 15:38 --------- d-------- C:\Program Files\Real Alternative
2007-08-23 15:38 --------- d-------- C:\Program Files\Qwest QuickConnect
2007-08-20 22:30 --------- d-------- C:\Program Files\settings part bags
2007-08-01 07:45 --------- d-------- C:\Program Files\Audible
2007-08-01 07:11 --------- d-------- C:\DOCUME~1\Alex\APPLIC~1\AdobeUM
2007-07-31 21:31 --------- d-------- C:\DOCUME~1\Alex\APPLIC~1\eMule
2007-07-30 18:58 --------- d-------- C:\Program Files\MSN Messenger
2007-07-30 14:37 --------- d-------- C:\Program Files\Support.com
2007-07-30 14:15 27917104 --a------ C:\Program Files\downloadable_install_wizard.exe
2007-06-16 10:37 45056 --a--c--- C:\WINDOWS\NCUNINST.EXE
2006-07-01 00:59 3886407 --a------ C:\Program Files\tvc.exe
2006-06-30 23:09 98377 --a------ C:\Program Files\flvplayer_sources.zip
2006-02-05 23:15 1094021 --a------ C:\Program Files\dvdshrink32setup.zip
2005-10-13 17:28 4878136 --a--c--- C:\Program Files\Firefox Setup 1.0.7.exe
2005-08-23 17:59 5213 --a------ C:\Program Files\acttmp.dat
2005-08-23 17:58 1220 --a--c--- C:\Program Files\sonoma.conf
2005-06-13 09:37 173176 --a--c--- C:\Program Files\TSCC.codec.exe
2005-05-20 10:39 174677 --a------ C:\Program Files\GSpot.zip
2005-02-24 23:07 12637989 --a--c--- C:\Program Files\dBpowerAMP.Music.Converter.11.[Most.Used.Codecs.Included].rar
2005-02-06 19:26 107 --a--c--- C:\Program Files\Serial Iso Buster 1.6.txt
2005-02-03 01:49 30399114 --a--c--- C:\Program Files\Ahead.Nero.Burning.ROM.v6.6.0.6.Ultra.Edition.ORION.rar
2005-01-28 03:00 80 --a--c--- C:\Program Files\Boilsoft Rm Converter 2.21 Serial.txt
2005-01-22 18:30 1146750 --a--c--- C:\Program Files\audio.playback.recorder.3.6.crack-rev.rar
2005-01-03 23:57 487544 --a--c--- C:\Program Files\msgr6suite.exe
2004-12-13 20:51 3176857 --a------ C:\Program Files\JOINER.zip
2004-10-31 22:01 9449398 --a--c--- C:\Program Files\DIKOSetup.exe
2004-10-26 22:28 916452 --a--c--- C:\Program Files\DSD.EXE
2004-10-26 03:57 1228 --a--c--- C:\Program Files\INSTALL.LOG
2004-10-26 03:55 323110 --a--c--- C:\Program Files\pclepim1.exe
2004-10-13 23:32 1086226 --a--c--- C:\Program Files\ac3tool10.exe
2004-10-04 02:41 827855 --a--c--- C:\Program Files\SetupDVDDecrypter_3.5.1.0.exe
2004-09-20 23:10 8414880 --a--c--- C:\Program Files\TMPGEnc-2.521.58.169-Plus-EN-Installer-DL.exe
2004-09-18 20:34 344892 --a--c--- C:\Program Files\defs.zip
2004-09-16 17:10 370688 --a--c--- C:\Program Files\befsr-v1.46.02_code.bin
2004-09-16 08:48 67072 --a------ C:\Program Files\NOTEPAD.EXE
2004-09-16 01:18 193152 --a--c--- C:\Program Files\aviwav33.zip
2004-09-16 01:11 7680064 --a--c--- C:\Program Files\DivX521XP2K.exe
2004-09-15 09:32 10135688 --a--c--- C:\Program Files\MPSetupXP.exe
2004-09-14 21:59 2064870 --a--c--- C:\Program Files\ffdshow-20040828.exe
2004-09-14 21:35 1999576 --a--c--- C:\Program Files\ffdshow-20040725.exe
2004-09-12 22:46 614943 --a--c--- C:\Program Files\lame-3.96.1.zip
2004-09-08 02:18 4354084 --a--c--- C:\Program Files\spybotsd13.exe
2004-08-01 18:55 1004712 --a--c--- C:\Program Files\wrar330.exe
2004-05-06 22:43 2374 --a--c--- C:\DOCUME~1\Alex\sysdump.bin
2004-04-11 21:59 1291040 --a--c--- C:\Program Files\WindowsXP-KB823980-x86-ENU.exe
2004-04-04 23:16 1140084 --a--c--- C:\Program Files\Ares 1.81 setup.exe
2004-04-04 19:37 6262872 --a--c--- C:\Program Files\psa2se_us.exe
2004-04-04 19:37 16706160 --a--c--- C:\Program Files\AdbeRdr60_enu_full.exe
2004-03-19 22:26 14975879 --a--c--- C:\Program Files\stcd3setup_sonic.exe
2004-03-03 20:17 4304896 --a--c--- C:\Program Files\all_plugins.exe
2004-03-03 20:02 836608 --a--c--- C:\Program Files\iview385.exe
2004-03-03 18:17 7788331 --a--c--- C:\Program Files\Nimo50Build9Beta1.exe
2004-03-03 18:16 246816 --a--c--- C:\Program Files\DivXLight-511.exe
2004-03-03 04:46 217329 --a--c--- C:\Program Files\gspot221.exe
1998-02-10 18:34 128000 --a--c--- C:\Program Files\UNWISE.EXE
2005-10-23 04:02:09 10,022 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [2004-10-08 11:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-07-16 11:20]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2007-06-20 23:41:44]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 14:36:04]

C:\DOCUME~1\Alex\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 14:36:04]

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2007-06-20 23:41:44]

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 14:36:04]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\mljjj

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk.disabled
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk.disabled
backup=C:\WINDOWS\pss\Microsoft Office.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bihbaw]
C:\WINDOWS\?dobe\??chost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule2]
"C:\Program Files\ISM\ISMModule2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\System32\ctfmon.exe
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dumb Roam"=C:\PROGRA~1\SETTIN~1\Copy Seek Bows.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"kdx"=C:\WINDOWS\kdx\KHost.exe
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"DVDSentry"=C:\WINDOWS\System32\DSentry.exe
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
"MCUpdateExe"=C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"Dumb Roam"=C:\PROGRA~1\SETTIN~1\Copy Seek Bows.exe
"MCAgentExe"=c:\PROGRA~1\mcafee.com\agent\McAgent.exe
"McRegWiz"=c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
"DwlClient"=C:\Program Files\Common Files\Dell\EUSW\Support.exe

S2 .NET Connection Service;.NET Framework Service;C:\WINDOWS\svchost.exe
S2 HPFECP13;HPFECP13;C:\WINDOWS\System32\drivers\HPFECP13.SYS
S3 EL90X;3Com EtherLink XL 90X Adapter Driver;C:\WINDOWS\System32\DRIVERS\el90xnd5.sys

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-15 15:15:27
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-15 15:16:00 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-15 15:15
.
--- E O F ---

AND

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:30:14 PM, on 9/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - C:\Program Files\FlashCapture\FCBHO.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\FCIEXT.dll/FCIEXT.htm
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\FCIEXT.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 2770 bytes

Thanks for your help!!!

ken545
2007-09-15, 22:58
Thanks for your help!!!

No problem.

Combo removed DOMAINSERVICE, which was a virus.

Svchost.exe resides in the system32 folder; any other place and it's a virus. This is what we need to do.


Go to Start> Run and type in services.msc then press Enter
Scroll down to .NET Framework Service
Double Click that service to open it.
Click on Stop Service.
Then change the Startup Type to Disabled.
OK your way out of the program.




Open HJT > Misc Tools > Delete an NT Service
Type in .NET Connection Service
Then click on OK, it will ask you to reboot, do so.




1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file, and extract avenger.exe to your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to Delete:
C:\WINDOWS\svchost.exe

Folders to delete:
C:\Program Files\WinPop



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply


There are still a few things we need to remove, one step at a time; I don't want to overwhelm you.

Let me see the Avenger log and a new HJT log please
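
As an added, defender-side example that is not from the thread, from ken545, or from HijackThis itself: a small Python triage script that applies the heuristics this post relies on (svchost.exe anywhere but System32, an O23 service whose owner is unknown and whose binary is missing, an unnamed O2 BHO) to HJT log lines. The sample log is excerpted from the first HijackThis log above, with one constructed process line (C:\WINDOWS\svchost.exe) added to exercise the location check; the Finding class, the function names and the XP default SystemRoot are my assumptions.

```python
"""Triage HijackThis (HJT) log lines with the heuristics used in this thread.

Added example; not part of the thread and not HijackThis code.
"""
import re
from dataclasses import dataclass

# The genuine svchost.exe lives in %SystemRoot%\System32. A copy anywhere else
# (e.g. C:\WINDOWS\svchost.exe, the binary behind the rogue ".NET Connection
# Service" above) is treated as malicious. Assumes the XP default SystemRoot.
SYSTEM32 = "c:\\windows\\system32\\"

# O2 - BHO: <name> - {CLSID} - <dll path>
_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
# O23 - Service: <name> - <owner> - <binary path> [ (file missing)]
_O23 = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)


@dataclass
class Finding:
    section: str  # "process", "O2" or "O23"
    reason: str
    line: str


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def svchost_out_of_place(path: str) -> bool:
    """True when path names svchost.exe outside %SystemRoot%\\System32."""
    p = _norm(path)
    return p.endswith("\\svchost.exe") and not p.startswith(SYSTEM32)


def triage(log_text: str) -> list[Finding]:
    """Walk an HJT log and collect the lines worth a closer look."""
    findings: list[Finding] = []
    in_process_list = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_process_list = True
            continue
        if re.match(r"^O\d+ - ", line):  # first HJT entry ends the process list
            in_process_list = False
        if in_process_list:
            if svchost_out_of_place(line):
                findings.append(Finding("process", "svchost.exe running outside System32", line))
            continue
        m = _O2.match(line)
        if m:
            if m.group("name") == "(no name)":
                findings.append(Finding("O2", "unnamed BHO", line))
            continue
        m = _O23.match(line)
        if m:
            if svchost_out_of_place(m.group("path")):
                findings.append(Finding("O23", "service runs svchost.exe outside System32", line))
            elif m.group("missing") and m.group("owner") == "Unknown owner":
                # A lead, not proof: the UMWdf entry in this same log is benign.
                findings.append(Finding("O23", "unknown owner, binary missing (review)", line))
    return findings


# Excerpt of the first HJT log in the thread, plus one constructed process
# line (C:\WINDOWS\svchost.exe) so the location check has something to flag.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {47473506-841B-425E-9399-23C6A0ED4FD4} - C:\WINDOWS\System32\mljjj.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

The "(review)" findings are leads for a human, not verdicts: the UMWdf line matches the same pattern as the rogue service yet is a standard Windows component.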

Motoman
2007-09-15, 23:15
After I clicked the green light icon in Avenger, I hit yes once, and when I tried to hit yes a second time, I got this error message:

Error code: 0
Error logged to errorlog.txt. Aborting now!

ken545
2007-09-15, 23:19
That's a new one on me; try this program instead.

Do this after you disable the service

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.


Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


C:\WINDOWS\svchost.exe
C:\Program Files\WinPop

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Motoman
2007-09-15, 23:38
Hi,

I had a problem with OT Moveit, so I tried Avenger again, and it seemed to work! Below are the text files you requested:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jpsbqadx

*******************

Script file located at: \??\C:\WINDOWS\System32\cxanjoys.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\svchost.exe not found!
Deletion of file C:\WINDOWS\svchost.exe failed!

Could not process line:
C:\WINDOWS\svchost.exe
Status: 0xc0000034



Folder C:\Program Files\WinPop not found!
Deletion of folder C:\Program Files\WinPop failed!

Could not process line:
C:\Program Files\WinPop
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

AND

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:32:50 PM, on 9/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - C:\Program Files\FlashCapture\FCBHO.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\FCIEXT.dll/FCIEXT.htm
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\FCIEXT.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 2603 bytes

ken545
2007-09-16, 00:11
Let's try looking yourself and make sure they're gone.

We need to make sure all hidden files are showing:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.

Delete them if present:
C:\WINDOWS\svchost.exe Be careful of this one because the one in windows\system32 is legit.
C:\Program Files\WinPop




REGEDIT4

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\mljjj

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dumb Roam"=C:\PROGRA~1\SETTIN~1\Copy Seek Bows.exe


Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.


Although your log looks clean, I see a marker in combofix for the Lop infection; let's run this tool and make sure it's not present.

Please Download No Lop (http://www.spywareedge.net/nolop/NoLop.exe) to your desktop


First close any other programs you have running, as this will require a reboot.
Double click NoLop.exe to run it
Now click the button labeled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected. Click OK.
Now click the "REBOOT" button.
A message should pop up from NoLop. If not, double click the program again and it will finish. Please post the contents of C:\NoLop.log after completing the next steps.
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx (http://www.boletrice.com/downloads/mscomctl.ocx) to your system32 folder then rerun the program.

Post the NoLop log and let me know how your system is running now.

ken545
2007-09-16, 00:12
Lets try looking yourself and make sure there gone.

We need to make sure all hidden files are showing :

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Once your system is clean, we suggest that you reverse this to keep critical windows files from accidently being deleted.

Delete them if present
C:\WINDOWS\svchost.exe Be careful of this one because the one in windows\system32 is legit.
C:\Program Files\WinPop




REGEDIT4

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\mljjj

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dumb Roam"=C:\PROGRA~1\SETTIN~1\Copy Seek Bows.exe


Copy the entire contents inside the Quote box and Paste it into Notepad ( this will only work with Notepad ) name the file Regfix.reg and in the drop down box, save it as All Files. Save it to your desktop. Then Rightclick on the Regfix.reg file and click on Merge, when it asks you to merge with the Registry, say yes.


Although your log looks clean, I see a marker in combofix for the Lop infection, lets run this tool and make sure its not present.

Please Download No Lop (http://www.spywareedge.net/nolop/NoLop.exe) to your desktop


First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labeled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A message should pop up from NoLop. If not, double click the program again and it will finish. Please post the contents of C:\NoLop.log after completing the next steps.
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx (http://www.boletrice.com/downloads/mscomctl.ocx) to your system32 folder then rerun the program.

Post the NoLop log and let me know how your system is running now.

Motoman
2007-09-16, 08:23
Hi again. Here's the text file:

NoLop! Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

Fix running from: C:\Documents and Settings\Alex\Desktop
[9/16/2007]
[1:06:04 AM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Real
C:\Documents and Settings\Administrator\Application Data\Sonic
C:\Documents and Settings\Administrator\Application Data\Sun
C:\Documents and Settings\Alex\Application Data\Adobe
C:\Documents and Settings\Alex\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Alex\Application Data\Ahead
C:\Documents and Settings\Alex\Application Data\Apple Computer
C:\Documents and Settings\Alex\Application Data\Arcsoft
C:\Documents and Settings\Alex\Application Data\Cyberlink
C:\Documents and Settings\Alex\Application Data\Emule
C:\Documents and Settings\Alex\Application Data\Fotowire
C:\Documents and Settings\Alex\Application Data\Google
C:\Documents and Settings\Alex\Application Data\Help
C:\Documents and Settings\Alex\Application Data\Hp
C:\Documents and Settings\Alex\Application Data\Identities
C:\Documents and Settings\Alex\Application Data\Image Zone Express
C:\Documents and Settings\Alex\Application Data\Jasc
C:\Documents and Settings\Alex\Application Data\Jasc Software Inc
C:\Documents and Settings\Alex\Application Data\Lavasoft
C:\Documents and Settings\Alex\Application Data\Macromedia
C:\Documents and Settings\Alex\Application Data\Media Player Classic
C:\Documents and Settings\Alex\Application Data\Microsoft
C:\Documents and Settings\Alex\Application Data\Mozilla
C:\Documents and Settings\Alex\Application Data\Msninstaller
C:\Documents and Settings\Alex\Application Data\Real
C:\Documents and Settings\Alex\Application Data\Sonic
C:\Documents and Settings\Alex\Application Data\Sony Corporation
C:\Documents and Settings\Alex\Application Data\Sun
C:\Documents and Settings\Alex\Application Data\Viewpoint
C:\Documents and Settings\Alex\Application Data\Vlc
C:\Documents and Settings\Alex\Application Data\Yahoo!
C:\Documents and Settings\Alex\Application Data\Yahoo! Messenger
C:\Documents and Settings\Alex.motopimp\Application Data\Microsoft
C:\Documents and Settings\Alex.motopimp\Application Data\Real
C:\Documents and Settings\Alex.motopimp\Application Data\Sonic
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Dell
C:\Documents and Settings\All Users\Application Data\Dvd Shrink
C:\Documents and Settings\All Users\Application Data\Hp
C:\Documents and Settings\All Users\Application Data\Mcafee.com
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Msn6
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Real -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Jasc Software Inc
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Real
C:\Documents and Settings\Default User\Application Data\Sonic
C:\Documents and Settings\Default User\Application Data\Sun
C:\Documents and Settings\Localservice\Application Data\Macromedia
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft

My computer seems to be running better now!

I have one concern though about this part that you asked me to perform:


Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\mljjj

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dumb Roam"=C:\PROGRA~1\SETTIN~1\Copy Seek Bows.exe
Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.

We got rid of the WinPop file and the mljjj file, but now according to your instructions, it appears that we are adding them back into my registry? Could you please explain this? Thanks so much for all of your help!!!

ken545
2007-09-16, 11:00
How to delete keys and values from the registry:
Create a reg file like this; notice the hyphen inside the first bracket.

REGEDIT4
[-HKEY_CURRENT_USER\SomeKey]

Notice the - sign inside the bracket. This will remove them, but if you feel uncomfortable with this you can bypass it.

How is everything running now??

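An added check, written for this thread and not part of any tool mentioned in it, that reads a REGEDIT4 file the way regedit does and flags "[-KEY]" lines that delete critical system keys outright. Run on the Regfix.reg posted above, it reports that the first entry deletes the entire Lsa key rather than only the mljjj entry inside its Authentication Packages value, and that the value lines written under a "[-KEY]" header are never applied. The list of critical key prefixes is constructed for the example.

```python
import re

# Key prefixes a cleanup .reg file must never delete wholesale (constructed list
# for this example, compared case-insensitively). Deleting all of Control\Lsa
# wipes every LSA setting, not just one rogue authentication package entry.
CRITICAL_KEY_PREFIXES = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON",
)
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")              # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(@|"[^"]*")\s*=\s*(.*)$')  # "name"=data or @=data

def parse_reg(text):
    """Return (kind, key, detail) tuples. kind is 'key', 'delete_key', 'value',
    'ignored' (a value under a [-KEY] header, which regedit never applies since
    the whole key goes away) or 'malformed' (not .reg syntax; regedit skips it)."""
    entries, current, deleting = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            deleting, current = m.group(1) == "-", m.group(2)
            entries.append(("delete_key" if deleting else "key", current, None))
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries.append(("ignored" if deleting else "value", current, m.group(1)))
            continue
        entries.append(("malformed", current, line))
    return entries

def critical_deletions(entries):
    """Keys the file would delete outright that sit under a critical prefix."""
    return [k for kind, k, _ in entries
            if kind == "delete_key" and k.upper().startswith(CRITICAL_KEY_PREFIXES)]

# The Regfix.reg posted earlier in this thread, reproduced as the sample input.
THREAD_REGFIX = r"""REGEDIT4
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\mljjj

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dumb Roam"=C:\PROGRA~1\SETTIN~1\Copy Seek Bows.exe
"""
```

Calling critical_deletions(parse_reg(THREAD_REGFIX)) returns the Lsa key, which is the warning a helper would want before telling someone to merge the file.
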
Motoman
2007-09-16, 15:57
My computer seems to be running a lot better, thanks!!! Internet Explorer is no longer starting automatically like before, and I am no longer receiving the annoying 'messenger service message pop ups'.

I still have a text file named "check_LSA7", and I noticed in the regfix file we have
Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\mljjj

I suspected that this text file is associated with the virus. Should I also delete this text file? Also, is this text file responsible for the production of the mljjj file?

Thanks!!!

ken545
2007-09-16, 16:01
mljjj: this was part of the infection you had. Yes, delete them both.

Glad things are better :bigthumb:

Motoman
2007-09-17, 16:22
Red Alert! Code Blue! Emergency! I performed the regedit fix (where I copied and pasted the text you had indicated to a notepad file and named it regfix), and now after I rebooted my computer, I get a stopping error (the red button with the white X) that says, “lsass.exe-system error object not found”. Windows won’t even start now! I tried re-installing windows (which is a valid legal version), and I keep getting this same error message! I am in panic mode right now, and would greatly appreciate any help to resolve this. :oops: Thanks.

ken545
2007-09-17, 18:33
Restart your computer and immediately tap the F8 key, it will bring up a menu, use your up and down arrow keys to scroll to LAST KNOWN GOOD and hit enter on your keyboard.

Motoman
2007-09-17, 19:11
I tried that, and still no luck. I get the same error message.

ken545
2007-09-17, 19:23
I don't know what the configuration is on your computer, but try starting it and look for the setup key, which may be F1 or F2, and try getting into the Recovery Mode and do a Repair.

It looks like you did the regfix and all was well, did this happen after you deleted check_LSA7?

ken545
2007-09-17, 19:47
Using the F8 key, are you able to get into Safe Mode? Normally if you can get into Safe Mode you can restart your computer and it will boot normally. Once in Windows, try doing a System Restore.

Go to Start > Control Panel > (you need to be in Category View) Performance and Maintenance > System Restore > Restore My Computer to an Earlier Time



If not, the best way to go is to do a repair of Windows. This is not a full reinstall; it just repairs your current copy of Windows.

http://www.help2go.com/Tutorials/Windows/How_To_Repair_XP_and_Avoid_a_Full_Reinstall.html
http://www.michaelstevenstech.com/XPrepairinstall.htm

Let me know if this helped

Motoman
2007-09-17, 19:54
Hi there. I’m at work right now, so I won’t be able to try the recovery mode until after 6pm CST this evening. I’m not sure what you’re referring to about my configuration, but I have Windows XP Pro-Service pack 1. I didn’t go to Service pack 2, because I thought it could create problems. I never had the check_LSA7 text file before showing with other folders on my C (hard) drive, and when I right clicked and checked properties, it was created in September 2007, so I suspected it was part of the virus. I purchased my computer in 2004, and the majority (if not all) of my system files have 2004 creation dates. I could not delete, nor could I read the check_LSA7 text file before using Combo fix and No Lop, because I received the message “In use by another program or user…” I suspect my problems of rebooting started happening, either when I did the registry fix, or possibly when I deleted the check_LSA7 text file. I deleted the check_LSA7 text file and did the registry fix all at the same time within a couple minutes, before trying to reboot again. Also, I did reverse the process and hide the operating system files with the 2 or 3 checkboxes like you had suggested. Thanks.

ken545
2007-09-17, 20:04
I am talking about as your computer starts the boot process, it usually flashes on the screen " Press F1 for Setup" and I am not sure what your system requires for that.

ken545
2007-09-18, 02:24
Another thing to try.

Restore from Erunt Backups via Recovery Console


If Windows will not load, the user will need to boot from the Windows Install disc. The erunt backups can then be accessed via the Recovery Console.

If the user does not have a Windows Install disc, they can create a bootable disc. The simplest way is to download & burn this onto a cd > http://www.atribune.org/downloads/rc.iso


1. Insert Windows Install disc to boot from CD.
2. Press any key on the keyboard when prompted.
3. Press R to load the Recovery Console.
4. Enter your password when prompted.
5. You must enter which Windows installation to log onto. Type 1 and press enter.
6. At the C:\Windows prompt, type the following text, and press Enter:

cd erdnt\subs

7. At the next prompt, type the following text, and press Enter:

batch erdnt.con

8. The erunt backups will begin copying.

9. At the next prompt, type the following text, and press Enter:

exit

Windows will now begin loading

ken545
2007-09-18, 10:37
Motoman,

You had the Vundo trojan that embedded itself in that registry key. I would like you to post here; they are Windows experts and will get you back up and running.

Windows Helpnet (http://www.windowsbbs.com/) This forum is free and one of the better ones on the internet for windows problems. Post in the Windows XP forum.

Tell them in the process of removing the Vundo trojan, you now have this error
“lsass.exe-system error object not found”.

ken545
2007-09-20, 18:24
Motoman,

How are you doing? Are you up and running??

tashi
2007-10-03, 01:16
This topic has been moved to archives for now.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.