Computer Will Not Boot...

T

teddings

New member
.....or reboots automatically. I have tried a few things....CCleaner, Spybot, and Lavasoft Ad-Aware. Everytime I think I got it to finally boot, it reboots itself! I was told to try Spy Sweeper and Registry Mechanic...but I'm not even sure how to get those on the computer when it is in Safe Mode. I do keep noticing Smitfraud-C when I run Spybot and it can't clean it. What should I try? I'm not even sure how to get the log tracker on the machine. I'd like to fix it just to show up the guy at Queek Squad that just laughed at my Toshiba Tecra Laptop and pointed me to a $1700 computer.:mad:

Any guidance or help would be appriciated...I have read through some threads and it seems like I need to post a log.

Thanks
 
teddings said:
Any guidance or help would be appriciated...I have read through some threads and it seems like I need to post a log.
Click to expand...

Hello,

"BEFORE you POST" Mandatory Steps Before Requesting Assistance

If you are able to:
  • Run the on-line anti virus scan.
  • Run HJT from it's own folder, post HJT log and result of AV scan here.

Note:
If you have difficulty in downloading HJT to the problem machine, you can download to a clean PC if one is available.

Burn to disc or load on floppy
Upload to the affected machine
Place HJT into own folder
Run HJT on the infected PC and post the log you produce using the clean PC.

Then a helper will advise you as soon as available. If you cannot do any of the above let us know.

Regards.
 
Infected with Trojans and other Nasties

Here is where I am at...still can't boot normally after:

1. I ran SmitfraudFix
2. Ran SpyBot (this time I didn't get the error saying it couldn't delete the winsys2f.dll file)
3. Ran Online Panda Scan (Safe Mode w/ Networking)
4. Ran HJT (Safe Mode w/ Networking)
5. .....here is my Panda Scan log and HJT log:

Panda Scan Log


Incident Status Location

Virus:W97M/Metys.B Disinfected Personal Folders\Sent Items\Templates\Standard Templates.zip[MtgNotes 2000-02-16 (On-Site Consulting).doc]
Virus:W97M/Metys.B Disinfected Personal Folders\Sent Items\Templates\Standard Templates.zip[Action Items Ongoing Tech Support.doc]
Virus:W97M/Metys.B Disinfected Personal Folders\Sent Items\Facilities/CAD Planner Resume\Resume Todd Eddings.doc
Virus:W97M/Metys.B Disinfected Personal Folders\Sent Items\Todd's Resume\Resume.zip[Resume TE NEW2.doc]
Virus:W97M/Metys.B Disinfected Personal Folders\Sent Items\Todd's Resume\Resume.zip[Resume TE NEW.doc]
Potentially unwanted tool:Application/Processor Not disinfected C:\apps\SmitfraudFix\Process.exe
Virus:Trj/Agent.DXB Disinfected C:\arykcd.exe
Adware:Adware/RegistryCleaner Not disinfected C:\dagkkdcb.exe
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\administrator.TEDDINGS\Cookies\administrator@ad.yieldmanager[2].txt
Spyware:Cookie/empnads Not disinfected C:\Documents and Settings\administrator.TEDDINGS\Cookies\administrator@empnads[1].txt
Spyware:Spyware/AdClicker Not disinfected C:\Documents and Settings\administrator.TEDDINGS\Local Settings\Temporary Internet Files\Content.IE5\1RGW5LNV\silent_setup[1].exe.vir
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Default User\Cookies\teddings@ad.yieldmanager[1].txt
Virus:Trj/Downloader.MPR Disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\166D69QU\ac4[1].txt
Virus:Trj/Alanchum.TM Disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\22TZEMJG\via[1].exe
Virus:W97M/Metys.B Disinfected C:\Documents and Settings\teddings.TEDDINGS3\My Documents\Resume.zip[Resume TE NEW2.doc]
Virus:W97M/Metys.B Disinfected C:\Documents and Settings\teddings.TEDDINGS3\My Documents\Resume.zip[Resume TE NEW.doc]
Virus:Trj/Sinowal.DU Disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
Virus:Trj/Sinowal.DU Disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1670OinAdmin.exe
Adware:Adware/888Bar Not disinfected C:\Program Files\Common Files\{300B967E-016E-1033-0709-9909990001}\UnInstall.exe
Virus:Trj/Clicker.YB Disinfected C:\Program Files\microsoft frontpage\lawuh.dll
Adware:Adware/DeluxeComunications Not disinfected C:\svhost.exe
Virus:Trj/BZub.M Disinfected C:\WINNT\7qkssx0w.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\EliteToolBar\xml\images\casino.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\EliteToolBar\xml\images\dating.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\EliteToolBar\xml\images\drugs.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\EliteToolBar\xml\images\fav.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\EliteToolBar\xml\images\virus.bmp
Spyware:Spyware/New.net Not disinfected C:\WINNT\NDNuninstall6_38.exe
Virus:Trj/BZub.M Disinfected C:\WINNT\qo3uyc6o.exe
Adware:Adware/NewAds Not disinfected C:\WINNT\stub_mma3.exe
Virus:Trj/Agent.EDT Disinfected C:\WINNT\system32:lzx32.sys
Spyware:Spyware/Virtumonde Not disinfected C:\WINNT\system32\awtursp.dll
Virus:Trj/Spammer.EV Disinfected C:\WINNT\system32\aybgxus.sys
Virus:Trj/Downloader.CJX Disinfected C:\WINNT\system32\a_i_037.dll
Spyware:Spyware/New.net Not disinfected C:\WINNT\system32\bund1\2new.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\WINNT\system32\bund1\ClientBundle1.exe
Adware:Adware/DeluxeComunications Not disinfected C:\WINNT\system32\bund1\Delcom.exe
Adware:Adware/Yazzle Not disinfected C:\WINNT\system32\bund1\Yzz.exe[¦++\Yazzle1670OinAdmin.exe]
Virus:Trj/Banker.GSP Disinfected C:\WINNT\system32\comdlg77.dll
Virus:Trj/Qhost.gen Disinfected C:\WINNT\system32\drivers\etc\hosts.20070123-210730.backup
Virus:Trj/Qhost.gen Disinfected C:\WINNT\system32\drivers\etc\hosts.20070123-210731.backup
Virus:Trj/Qhost.gen Disinfected C:\WINNT\system32\drivers\etc\hosts.20070123-210732.backup
Virus:Trj/Qhost.gen Disinfected C:\WINNT\system32\drivers\etc\hosts.20070123-210755.backup
Virus:Trj/Qhost.gen Disinfected C:\WINNT\system32\drivers\etc\hosts.20070125-075540.backup
Virus:Trj/Qhost.gen Disinfected C:\WINNT\system32\drivers\etc\hosts.20070125-075701.backup
Virus:Trj/BZub.M Disinfected C:\WINNT\system32\ipv6mons.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINNT\system32\jkkkkhh.dll
Adware:Adware/CWS.Searchmeup Not disinfected C:\WINNT\system32\jrd.dll
Virus:Trj/Alanchum.TM Disinfected C:\WINNT\system32\ma.exe.exe
Virus:Trj/Disablekey.BF Disinfected C:\WINNT\system32\max1d641.exe
Potentially unwanted tool:Application/ActivityMon Not disinfected C:\WINNT\system32\out.dll
Virus:Trj/Downloader.UO Disinfected C:\WINNT\system32\PlayBingoOnline.exe
Virus:Trj/Banker.GSP Disinfected C:\WINNT\system32\qwertybot.exe
Virus:Trj/Alanchum.TQ Disinfected C:\WINNT\system32\sc.exe
Adware:Adware/EliteBar Not disinfected C:\WINNT\system32\shawn_1.dll
Virus:Trj/Spammer.EV Disinfected C:\WINNT\system32\stsikgl.sys
Adware:Adware/nCase Not disinfected C:\WINNT\system32\thinInstOIT61MegaV2s.dll
Adware:Adware/Maxifiles Not disinfected C:\WINNT\system32\unsvchosts.exe
Virus:Bck/Xorpix.AG Disinfected C:\WINNT\system32\vexg3am1et3.exe
Virus:W32/Nuwar.AF.worm Disinfected C:\WINNT\system32\vexg4am1et2.exe
Virus:Trj/Clicker.SU Disinfected C:\WINNT\system32\vexg6ame4.exe
Virus:W32/Nuwar.T.worm Disinfected C:\WINNT\system32\vexga1me4t1.exe
Possible Virus. Not disinfected C:\WINNT\system32\vexga3me2.exe
Virus:W32/Sdbot.JYK.worm Disinfected C:\WINNT\system32\vexga4m1et4.exe
Virus:Trj/Downloader.MUT Disinfected C:\WINNT\system32\vexga8me6.exe
Adware:Adware/IST.ISTBar Not disinfected C:\WINNT\system32\vm_d_.dll
Virus:Trj/Downloader.MPR Disinfected C:\WINNT\system32\wa54c194.dll
Hacktool:Rootkit/Nurech.A Not disinfected C:\WINNT\system32\wincom32.sys
Virus:Trj/Alanchum.TM Disinfected C:\WINNT\via.exe



....and my HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 9:15:48 AM, on 3/21/2007
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\apps\Highjack This\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1D84804A-B88B-48C2-9194-886FBB6F1509} - C:\WINNT\System32\jkkkkhh.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {696A736B-F756-FAB2-9D84-00ED27674D24} - C:\WINNT\System32\qgsyoij.dll
O2 - BHO: 0 - {796DAAED-3759-4DFB-E8B2-9038F4C9D340} - C:\Program Files\microsoft frontpage\lawuh.dll (file missing)
O2 - BHO: (no name) - {7ACB5731-5839-13AB-EABC-124791194525} - C:\WINNT\System32\msindeo.dll
O2 - BHO: (no name) - {F1D41EB6-1C21-4076-8791-D5614ABE5D2C} - C:\WINNT\System32\wvuss.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [zvshvil.dll] C:\WINNT\System32\rundll32.exe "C:\Documents and Settings\teddings.TEDDINGS3\Local Settings\Application Data\zvshvil.dll",kqvyofd
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://services.brg.com/CFIDE/classes/CFJava.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.0_01) - http://cellis1/CFIDE/classes/cf-j2re-win.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://fasterm/tsweb/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - ftp://adeskftp.autodesk.com/webpub/whip/english/whip.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://services.brg.com/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://brg.webex.com/client/v_mywebex-t20/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = brg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = brg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = brg.com
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: jkkkkhh - C:\WINNT\SYSTEM32\jkkkkhh.dll
O20 - Winlogon Notify: wvuss - C:\WINNT\System32\wvuss.dll
O21 - SSODL: uiuYSUmqIVHa - {800B967F-2AA1-3CD5-8618-722E899BCE11} - C:\WINNT\System32\jrd.dll
O21 - SSODL: CDRecorder031 - {A3BC5E20-0235-1ABF-9CE1-00AA00512031} - (no file)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Apps\Ares\chatServer.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINNT\System32\msasvc.exe (file missing)
O23 - Service: OracleClientCache80 - Unknown owner - C:\apps\orant\BIN\ONRSD80.EXE
O23 - Service: OracleWebAssistant - Oracle Corporation - C:\apps\orant\bin\OWASTsvr.exe
O23 - Service: SMS Remote Control Agent (Wuser32) - Unknown owner - C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe (file missing)
 
Welcome to the forum, I am going to be candid with you, beside this worm:
http://virusinfo.prevx.com/viruscenter.asp?GRP=4748300015 you also have a multiple Vundo infection and a load of other junk, and I am sure you know why.

tashi posted this information for you to view:
"BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288

I will post the information so you can view it:
Update Your Windows XP. You are currently using an unpatched version of Windows XP.
Before attempting to remove malware, it is CRITICAL that you update to Service Pack 1a.
Get SP1a here : http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
You should also get SP2, but NOT NOW, rather only after your machine is clean.
After updating your Windows to SP1a, post a new HijackThis log please, using the Post Reply button.

and I might as well post this information for you also:One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Please let us know what you have decided to do in your next post.

Thanks
 
pskelley said:
Welcome to the forum, I am going to be candid with you...
Click to expand...

pskelley...Thanks for being candid....I see a new Toshiba Satellite in my future. I don't think that it is worth messing with at this point. I can access my files and get them off of the computer in Safe Mode.

Sorry about the "Mandatory Steps" deal....I did read the post and tried to follow it....but I have Windows 2000 not XP...so my bad. I really thought that a disk from Kinko's caused this...all this happened as soon as I inserted the disk that they burned for me and launched some pictures. Do you think it was the P2P crap??

Anyway, the one good thing to happen from this was that I found this forum and some great information/advice. :bigthumb: Thanks
 
I apologize for thinking you were running XP, It does appear that there have been no updates installed for your browser?

Hard to say where this junk comes from, but p2p file sharing is a very good guess, Vundo has been the results of bad script normally, here is some information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
 
Well I just bought the Toshiba Satellite A135-S4467 :crowned: . I am so worried now about security issues that I am curious what essential tools to guard my computer I should install. I think I might be too paranoid...I was thinking:

1. Spy Sweeper w/ Anti Virus (already purchased)
2. Spybot S&D (of course)
3. Ad-Aware
4. CCleaner

Do I have a hole somewhere in this plan...Spyblaster perhaps? Any help would be welcomed.

Thanks
 
Congratulations on your new computer. Let me say that the information you need to stay safe is available online if you search for it, but I must caution you that there is no silver bullet. I am going to post some links that will help, and I strongly suggest you save the links from experts I posted, those folks are very knowledgeable. The one point I must make is that no amount of software will replace good common sense. If you use a good layered protection, update your security programs as you should and develope good sound online surfing habits, that will go a long way towards keeping you safe online.
After you review those links, and the ones I am about to post, you have questions, post them and I will do my best to give you answers.

Strong passwords: How to create and use them
http://www.microsoft.com/athome/security/privacy/password.mspx

Retire your old computer safely
http://www.microsoft.com/athome/security/update/donatecomputer.mspx

. Security At Home site
http://www.microsoft.com/athome/security/default.mspx
. Security Tips & Talk blog
http://blogs.msdn.com/securitytipstalk/default.aspx
. RSS feed: Get security information delivered to you
http://www.microsoft.com/athome/security/rss/default.mspx
. Security video tutorials
http://www.microsoft.com/athome/security/videos/default.mspx
. Security community for home users
http://www.microsoft.com/athome/security/newsgroup/default.mspx
. Support for your computer security issues
http://www.microsoft.com/athome/security/support/default.mspx

Thanks
 
You must log in or register to reply here.
Back
Top